ABSTRACT

An electronic asset system includes tamper-resistant electronic
wallets that store non-transferable electronic assets. To break such
tamper-resistant wallets, the criminal is expected to spend an initial
investment to defeat the tamper-resistant protection. The electronic
assets are uniquely issued by an institution to a wallet (anonymously
or non-anonymously). During expenditure, the electronic assets are
transferred from the wallet to a recipient. Since the assets are
non-transferable, they are marked as exhausted assets upon
expenditure. The recipient then batch deposits the received
electronic assets with a collecting institution (which may or may not
be the same as the issuing institution). A fraud detection system
samples a subset of the exhausted assets received by the recipient to
detect "bad" assets which have been used in a fraudulent manner. Upon
detection, the fraud detection system identifies the electronic wallet
that used the bad asset and marks it as a "bad wallet." The fraud
detection system then compiles a list of bad electronic wallets and
distributes the list to warn potential recipients of the bad
electronic wallets. When a bad wallet next attempts to spend assets
(whether fraudulently or not), the intended recipient will check the
local hot list of bad wallets and refuse to transact business with the
bad wallet.

44 Claims, 4 Drawing Sheets
SYSTEM AND METHOD FOR DETECTING FRAUDULENT EXPENDITURE OF
ELECTRONIC ASSETS

TECHNICAL FIELD

This invention relates to systems which exchange electronic assets as
representations of value. More particularly, the invention relates to
systems and methods for detecting fraudulent use of electronic assets.

BACKGROUND OF THE INVENTION

Electronic assets are digital representations of value. Electronic
assets might be used to represent cash, coins, tokens, entertainment
tickets, government entitlement provisions, and so on.

One attribute of electronic assets is transferability. Transferable
electronic assets are similar to paper dollars in that the same assets
can be exchanged, traded, and reused numerous times. Non-transferable
electronic assets are used only once, and then retired from
circulation after this single use; they are not reused numerous times.
This invention is particularly directed to non-transferable electronic
assets.

Electronic assets are long, mostly random binary strings, with some
relatively small recognizable pattern, that are signed by the issuer.
For instance, an electronic asset might consist of 500 bits in which
the left most 400 bits are truly random, the right most 50 bits are an
identifiable string (e.g., all binary zeroes), and the intervening 50
bits are an expiration date. The binary strings are typically
generated by an institution that issues the electronic assets. Banks,
ticket companies, federal or local government, and businesses are all
possible issuers of different kinds of electronic assets.

Once issued, the electronic assets are carried in an electronic
storage facility, often referred to as an "electronic wallet."
Electronic wallets are tamper-resistant storage devices which make it
difficult to commit fraud. The size of the electronic wallet depends
upon the kind and amount of assets to be stored thereon. As an
example, an electronic wallet uses approximately 10 kilobytes of
memory to store $100 in units of $1 digital coins.

Driven by technological advances, there is an increasing desire to
conduct more commerce electronically, thereby replacing traditional
asset forms (bills, coins, ticket paper, etc.) with electronic assets
that represent them. A major segment of commerce is found at the low
end of the value scale. This commerce involves values equivalent to
present day cash, such as paper bills (i.e., $1, $5, $10, $20, $50,
and $100 bills) and coins (i.e., nickels, dimes, quarters,
half-dollars, and dollars). It is this low end of the market where
online systems are simply too expensive or too slow. Users are also
more likely to desire anonymity since they may dislike or distrust a
system where every purchase, down to vending machines and toll
bridges, is monitored and traced. Additionally, this low value end is
where fraud is likely to germinate because there is less incentive to
detect fraud due to the small value involved. In contrast,
transactions involving electronic assets at the higher end of the
value scale are more closely scrutinized by both parties and are often
guided by rigid protocols involving signatures and confirmation of
available funds for the transactions. Also, in the higher end of the
market, where credit and checks are used, the danger of forging money
does not exist. Although there remains a danger of users cheating each
other, there is no danger of cheating the banking system, the Federal
Reserve, and so on. This danger, however, exists with cash-like
systems.

One main problem with electronic assets is that they can be easily
duplicated. Unlike paper dollars or coins, a string of bits that
constitutes the electronic assets can be easily and rapidly replicated
using computers. This presents a significant risk of fraud. Criminals
can reproduce the bit string of [...] forged or counterfeited
electronic [...] recipient, the counterfeit bit string offered by the
criminal is identical to the expected asset bit string, rendering it
difficult to detect whether the offered bit string is the original
asset or a reproduced asset that has been used many times before. If
successful, the criminals have the opportunity to multi-spend the same
asset many times. This type of digital fraud is known as "double
spending."

One proposed solution to this problem is to devise a system that
prohibits double spending. This solution is centered on use of a
tamper-"proof" electronic wallet which, by its design, makes it nearly
impossible to modify or clone the wallet to perform fraudulent
transactions. Unfortunately, such designs are never truly
tamper-"proof," rather just tamper-"resistant." In other words, if
criminals were willing to invest the necessary capital, albeit large,
they could reverse engineer the electronic wallet to perform
fraudulent tasks. The cost of breaking tamper-resistant devices varies
dramatically with the technology and the evolution of technology over
time.

Another proposed solution to double spending is to develop an online
banking system to discover assets which have been double spent. In
this system, each electronic asset that is spent is collected by a
central bank or other institution and evaluated for possible double
expenditure. Since the asset is non-transferable and can be spent only
once, the discovery of identical assets reveals that the asset has
been double spent. When a recipient receives a new asset, it uses the
on-line banking network to determine whether that same asset has been
previously spent. The primary drawbacks of the online approach are the
tremendous expense involved in managing an online system and the
potentially long delay periods experienced when a recipient is
attempting to verify a new asset. Another drawback is that not all
recipients are online with the bank. For instance, the assets might be
used in off-line devices, such as vending machines or toll booths.
Attempting to network all possible recipient machines would be
extremely expensive.

A variation of the online bank system is for the bank to offer "after
the fact" exposure of double spenders, which is particularly used in
anonymous electronic asset systems. In this scenario, the bank
evaluates each spent asset for possible double spending. As long as
the user follows the stipulated guidelines and spends each asset only
once, the user remains anonymous. However, if the user multi-spends
the same asset, the bank detects the fraud and has enough information
to identify the criminal user. Those culprits are then sought out and
prosecuted.

Like the online system, however, this "after the fact" system has
drawbacks in the enormous size and expense required to store and track
every asset. Moreover, due to the sheer volume of assets being
evaluated, detection and enforcement might be delayed long enough for
the criminal to make an illegitimate profit and then slip away before
being apprehended.

Accordingly, there is a need to design a system which facilitates use
of electronic assets, even in the low value commerce segment, while
detecting and preventing fraud. Such a system should also satisfy the
countervailing goals of being efficient, reliable, and cost-effective.

SUMMARY OF THE INVENTION

This invention concerns an electronic asset architecture which
replaces or subsidizes expensive and inefficient deterministic fraud
detection with probabilistic fraud detection. This architecture
attempts to detect fraud and eliminate further fraud before the
criminal has had an opportunity to profit illegitimately.

According to one aspect of this invention, an electronic asset system
includes tamper-resistant electronic wallets which store
non-transferable electronic assets. The tamper-resistant wallets are
implemented as small portable computing devices with their own trusted
displays and keyboards, such as hand held computers, personal digital
assistants, or laptop computers. The tamper-resistant technology makes
it difficult to directly open the wallet's memory to obtain the stored
assets, or to communicate with the wallet other than as specified by
certain cryptographic protocol, which also protects the communication
channel. To break such tamper-resistant wallets, the criminal is
anticipated to make an initial investment to defeat the
tamper-resistant protection.

The electronic assets stored on the wallets can be in the form of
cash, tokens, government entitlements, or the like. The assets are
uniquely issued by an institution and assigned to a particular wallet.
During expenditure, the electronic assets are transferred from the
wallets to a recipient, which is usually a merchant or a vendor, but
not always; other user wallets can also receive the transferred
assets. Since the assets are non-transferable, they are marked as
exhausted assets upon expenditure. The recipient batch deposits once a
day the received electronic assets with a bank or other collecting
institution (which may or may not be the same as the issuing
institution).

The electronic asset system further includes a fraud detection system
which samples a subset of the exhausted assets received by the
recipient and deposited in the bank. For instance, the fraud detection
system might sample one in every 10,000 exhausted assets. The sampled
assets are sent to the fraud detection system immediately, rather than
batched at the end of a day. The fraud detection system uses the
sample to detect "bad" assets which have been used in a fraudulent
manner. Detection is performed by comparing the exhausted assets in
the sampled subset to determine whether there is a match. A match of
two or more assets indicates that those assets have been double spent.

Upon detection, the fraud detection system identifies the electronic
wallets that used the bad assets and marks the wallets as "bad". The
fraud detection system then compiles a list of bad electronic wallets
and posts the list to warn potential recipients that the bad
electronic wallets have been previously used in a fraudulent manner.
The list (which is also referred to as a "hot list" or "revocation
list") can be initially broadcast in its entirety to recipients and
the electronic wallets themselves over a data communication network,
such as a public network (e.g., the Internet) or a wireless network
(e.g., cellular phone and paging network). The hot list of bad wallets
is relatively short since it only contains identities of bad wallets
(and not individual bad coins) and the wallet certificates have
comparatively short expiration terms, and hence can be stored locally
on each wallet. Thereafter, the fraud detection system can simply
update these distributed lists by broadcasting only the identities of
those bad wallets which are to be added to the list. The entire list
can also be posted to a central location (e.g., an Internet web site)
so that anybody can access and download it. When a bad wallet on the
list next attempts to spend assets (whether fraudulently or not), the
intended recipient will refuse to transact business with the bad
wallet. The architecture that enables creation of short hot lists and
localized storage is generally applicable to all public-key [...]

According to this probabilistic fraud detection scheme, the criminal
might successfully [...] assets during initial transactions. But, due
to early detection through sampling, the criminal is eventually
prevented from further fraudulent use of the bad wallet. The fraud
detection occurs with high probability before [...] even on the
initial investment required to clone the wallet in the first place and
make an illegitimate profit. Once fraud is detected, further
perpetuation is prevented.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a general diagrammatic illustration of an electronic asset
system.

FIG. 2 is a diagrammatic illustration of the electronic asset system
in more detail than the general FIG. 1 illustration.

FIG. 3 is a diagrammatic illustration of a certification and
withdrawal process in an electronic asset system which is implemented
without anonymity.

FIG. 4 is a flow diagram of steps in a computer-implemented method for
detecting fraudulent transactions according to an aspect of this
invention.

FIG. 5 is a diagrammatic illustration of a certification and
withdrawal process in an electronic asset system which is implemented
with anonymity.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT

The following discussion assumes that the reader is familiar with
electronic assets (or electronic tokens or [...]) and cryptography.
For a basic introduction of [...] cryptography, the reader is directed
to a text written by Bruce Schneier and entitled Applied Cryptography
[...], published by John Wiley & Sons with copyright 1994, which is
hereby incorporated by reference.

FIG. 1 generally shows an electronic asset system 20. As used in this
disclosure, the term "electronic asset" means an electronic
representation of value, typically expressed in binary bits, and might
include tickets, tokens, cash, coins, government entitlements, or the
like. A "non-transferable electronic asset" is an electronic asset
that is uniquely issued for a single use and is then retired from
circulation after the one use. Unlike traditional cash,
non-transferable electronic assets are not reused numerous times.

The electronic asset system 20 includes an issuer 22, a payer 24, and
a recipient 26. In this most basic model, the issuer 22 additionally
functions as the collecting entity, although they can be two separate
entities. Assets flow in a loop around the triangle as shown by the
uni-directional arrows from issuer/collector 22 to payer 24, to
recipient 26, and back to issuer/collector 22. All three entities are
tamper-resistant. Communication channels 28, 30, and 32 facilitate
communication among the three entities. The channels are
representative of many different types of connections, including
direct local connections or remote connections over a communication
network, such as a public network (e.g., the Internet, telephone,
cable TV, etc.) or a wireless network (e.g., cellular phone, paging
network, satellite, etc.). These channels are secured using
cryptography protocol. More specifically, the communication between
participants can be accomplished using secure channel protocols as
well as secure messaging protocols.

All entities initially register with a certifying authority 34. In
some environments, the issuer 22 and the certifying
authority 34 are the same entity. Alternatively, the registering
function is performed by a separate entity, which is a trusted third
party to both the issuer and the payer. The certifying authority 34
issues certificates that are later used by the parties in a
transaction to verify the identity of each other. The role of
certifying authority 34 is limited to the registration process and has
no part of the payment transaction after this initial registration
process.

The initial issuance of electronic assets, represented by coin 36,
occurs at the issuer-payer leg of the asset system 20. The issuer 22
issues non-transferable assets 36 to the payer 24. The
non-transferable assets are digitally signed by the issuer and may be
dedicated to a particular user. The electronic assets are also issued
with an expiration date which, upon elapse, renders the assets
unusable in their present form.

The payer 24 stores the electronic assets 36 on an electronic wallet
for later use. The electronic wallet is preferably a tamper-resistant
device that is small and portable. The electronic wallet has memory to
store the assets and cryptographic capabilities to store and manage
public/private signing/encryption keys and certificates. The
electronic wallet can be implemented as a portable device with its own
trusted display and keyboard, such as a hand held computer, a personal
digital assistant, or a laptop computer. Rudimentary versions of the
electronic wallet might also be implemented as a smart card, a PC card
(formerly known as a PCMCIA card), or other IC card.

The issuer-payer leg of the asset system represents many different
forms of transactions. For example, the issuer 22 might be a bank and
the payer 24 might be an account holder who is withdrawing assets from
his/her account. A bank withdrawal transaction can be conducted over
an online network connection 28, such as over a private banking
network connection (e.g., ATM — automatic teller machine), or over a
public network connection (e.g., the Internet) using commercial
banking programs like Money from Microsoft Corporation. In another
example, the issuer 22 might be a public transit authority, and the
payer 24 might be a citizen who purchases tokens to ride on the public
transportation system. In this case, the issuer-payer connection 28
might be established at an off-line point-of-sale vending machine that
issues tokens to the user's electronic transit card.

The payment or payer-recipient leg of the asset system 20 involves
expenditure or use of the assets. Here, the payer 24 spends or uses
the assets, represented by coin 38, in some manner by transferring the
assets to the recipient 26. Electronically, the transaction involves
downloading the electronic assets from the payer's electronic wallet
to a computing unit of the recipient. The payer 24 digitally signs the
assets 38 before spending them. The recipient 26 verifies the
signatures of the issuer 22 and the payee 24 to ensure that they are
valid (i.e., not expired or revoked), and that the assets themselves
have not expired. If all is acceptable, the recipient 26 accepts the
assets as a valid payment and the assets are forever removed from the
payer's wallet.

The payer-recipient leg of the asset system 20 is likewise
representative of many different forms of transactions. For example,
the payer 24 might be a consumer and the recipient 26 might be a
merchant, with the purchase occurring over a public network connection
30. In another example, the payer 24 might be a thirsty individual and
the recipient 26 might be a beverage vending machine, with the
communication link 30 being an off-line direct connection at the
vending machine.

The deposit or recipient-collector leg of the asset system 20 concerns
recovery of the non-transferable assets. Because the assets are
non-transferable and used only once, the assets are retired and deemed
exhausted upon their use. In this final leg, the recipient 26 deposits
the assets, represented by coin 40, with the collector 22. The
collector 22 may or may not be the same entity as the issuer, but is
shown as the same for discussion purposes. The collector 22 stores all
of the incoming electronic assets and archives them until expiration.
The recipient-collector leg is representative of a merchant (recipient
26) depositing receipts with a bank (collector 22) using a secure
channel 32. Another example might be a token machine (recipient 26)
returning collected tokens to the public transit authority (collector
22), wherein the connection 32 is a secure transfer medium such as a
portable memory device with the deposited assets encrypted thereon.

The electronic asset system 20 also has a fraud detection unit 42 to
evaluate a sampled subset of the electronic assets received by the
recipient 26 to detect if any electronic assets have been used in a
fraudulent manner. The recipient forwards samples of the exhausted
assets to the fraud detection unit 42 on an ongoing basis. The
sampling rate is controlled by the fraud detection unit 42 and varies
in time and space to efficiently target suspected fraud patterns. The
fraud detection unit compares the sampled assets to determine whether
there is a match between two or more electronic assets. Because each
asset is presumed unique and used only once, a match indicates that
the same electronic asset has been double spent.

If fraudulent use is detected, the fraud detection unit 42 marks the
electronic asset as "bad." Thereafter, the fraud detection unit 42
identifies the electronic wallet that spent the bad electronic asset.
This identification is made by examining the signature of the wallet
that is attached to the exhausted asset. The fraud detection unit 42
compiles a list 44 of tainted or bad wallets. The list is initially
distributed to the recipient 26 to warn of the bad wallets, and then
updated as subsequent bad wallets are identified. If the electronic
assets were initially issued to a dedicated payer 24 who can be
identified from the asset itself, the fraud detection unit 42 might
further identify the payer 24 who spent the electronic asset.

The list 44 of bad wallets can be distributed from the fraud detection
unit 42 to the recipient 26 in a number of different ways. The list
might be broadcast over a data communications network (i.e., Internet,
interactive television, telephone, cable TV, etc.) or a wireless
communications network (e.g., cellular, paging, radio, etc.). The list
might be posted at a publicly accessible location, such as a web site.
Alternatively, the list might be transported or mailed on a storage
medium. Updates to the list are preferably broadcast in real time to
ensure that the recipient is kept current.

The recipient 26 is now equipped with the list of bad wallets. When a
criminal payer 24 subsequently attempts to use a bad wallet found on
the list, the recipient 26 will refuse to transact business with the
payer. In this manner, the payer 24 is prevented from further
promulgating fraud using the bad wallet. Additionally, the list 44 can
be stored on each electronic wallet. Because the list of wallets is
relatively small (as compared to a list of bad assets) and the wallets
have short expiration terms (wallet expiration is synonymous with
wallet certification expiration), the list is sufficiently short to
store on individual wallets as an accountability measure. This aspect
is described below in more detail. Moreover, each wallet can perform
routine cleanup processes to remove expired hot listed wallets. The
architecture that enables derivation and storage of short hot lists on
individual wallets is applicable to all public key cryptosystems and
can be employed in other environments outside of electronic asset
systems.

Accordingly, the electronic asset system 20 employs an 
asset-level criteria to uncover fraudulent transactions, while
accountability is at the wallet level. With random sampling, 
the fraud detection unit 42 only evaluates a tiny fraction of 
the exhausted assets. For example, the fraud detection unit 
might only examine one out of every 100 exhausted assets. 
This involves substantially less processing and storage 
resources in comparison to an online system which exam- 
ines the entire set of exhausted assets. As a result, the fraud 
detection unit requires less bandwidth, is fast and efficient
with less sensitivity to delays, and can sound an early 
warning to prevent subsequent fraud. In the case of an 
anonymous system (described more fully below), the fraud 
detection unit eliminates the need for detection processes 
aimed at "after the fact" exposure of double spenders. 

Although the fraud detection unit 42 cannot detect all 
fraud, it has a statistically high probability of detecting 
fraud. For appropriate sampling rates, the detection prob- 
ability can be 95% or better. This probability is sufficient to 
prevent fraud because the criminal is highly likely to be 
detected before there is an opportunity to profit illegiti- 
mately from the fraud. 

For instance, suppose the payer 24 stores the electronic 
assets in a tamper-resistant electronic wallet. To successfully
clone this electronic wallet, a criminal is expected to invest 
a rather large sum of money. If the bad wallet is used to 
spend low valued electronic assets, such as $1 coins or 
tokens, the criminal would need to successfully use the bad 
wallet many, many times before breaking even with the 
initial investment. The fraud detection unit 42, through 
appropriate sampling rates, is highly likely to uncover the 
fraudulent use of the bad wallet well before the criminal has 
used it enough times to break even. Accordingly, the statis- 
tical sampling technique is effective at deterring fraud 
because the criminal is highly unlikely ever to break even
on the investment.

While an asset-level criteria is used to uncover fraud, the 
electronic asset system 20 places accountability at the wallet 
level. Fraud is committed when the wallet is compromised. 
Accordingly, the hot list of bad wallets is used as a wallet-level
criteria to root out bad wallets during their subsequent
use. The list of bad wallets is sufficiently small to be given 
to all recipients 26. For example, assuming that wallets are 
configured with certificates that last for one year, a list of all 
bad wallets for the entire United States is anticipated to 
consume less than one gigabyte of memory. If the life span 
of the certificate registered to the electronic wallet is reduced 
to one month, a list of bad wallets is anticipated to consume 
no more than 10 megabytes. At this latter size, the list can 
be stored on each individual wallet. These local lists are
useful to the recipient because they eliminate a need for online
verification of each asset being received. The recipient can
simply check whether the wallet is on the hot list of bad 
wallets before completing a transaction. 
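
The sampling argument and the wallet-level hot list check described above, as an added Python example that is not part of the patent. It assumes each exhausted asset is sampled independently at a fixed rate and that a recipient receives list updates before every transaction; the class names, field names and sample values are hypothetical.

```python
# Added illustration, not code from the patent. Class and field names, the
# independent-random-sampling model and all sample values are assumptions.
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SpentAsset:
    asset_id: str      # stands in for the issuer-signed bit string of one coin
    wallet_id: str     # stands in for the wallet certificate that signed the spend
    cert_expiry: int   # day on which that wallet certificate expires


def detection_probability(copies_spent: int, sample_rate: float) -> float:
    """P(at least two copies of one asset land in the sample), the condition
    for the fraud detection unit to see a match."""
    n, p = copies_spent, sample_rate
    if n < 2:
        return 0.0
    return 1 - (1 - p) ** n - n * p * (1 - p) ** (n - 1)


def spends_until(target: float, sample_rate: float) -> int:
    """Fewest spends of one cloned asset that push detection up to `target`."""
    n = 2
    while detection_probability(n, sample_rate) < target:
        n += 1
    return n


class FraudDetectionUnit:
    def __init__(self, sample_rate: float, rng: random.Random):
        self.sample_rate = sample_rate
        self.rng = rng
        self.sampled = {}    # asset_id -> first sampled SpentAsset
        self.hot_list = {}   # wallet_id -> certificate expiry day

    def offer(self, spent: SpentAsset) -> None:
        """Called for every exhausted asset; only a sampled fraction is examined."""
        if self.rng.random() < self.sample_rate:
            self.examine(spent)

    def examine(self, spent: SpentAsset) -> None:
        first = self.sampled.get(spent.asset_id)
        if first is None:
            self.sampled[spent.asset_id] = spent
            return
        # The same single-use asset was sampled twice: a double spend.
        # Accountability is at the wallet level, so list wallets, not coins.
        for bad in (first, spent):
            self.hot_list[bad.wallet_id] = bad.cert_expiry

    def prune(self, today: int) -> None:
        """Routine cleanup: drop wallets whose certificate has expired, since
        recipients reject expired certificates anyway."""
        self.hot_list = {w: e for w, e in self.hot_list.items() if e > today}


class Recipient:
    def __init__(self, fdu: FraudDetectionUnit):
        self.fdu = fdu
        self.local_hot_list = {}

    def sync(self) -> None:
        """Models a broadcast update of the locally stored hot list."""
        self.local_hot_list = dict(self.fdu.hot_list)

    def accept(self, spent: SpentAsset, today: int) -> bool:
        """Offline check: certificate still valid and wallet not hot-listed."""
        if spent.cert_expiry <= today or spent.wallet_id in self.local_hot_list:
            return False
        self.fdu.offer(spent)
        return True


def simulate_clone(sample_rate: float, max_spends: int, seed: int):
    """A cloned wallet respends one coin until a recipient refuses it.
    Returns (spends accepted, resulting hot list)."""
    fdu = FraudDetectionUnit(sample_rate, random.Random(seed))
    shop = Recipient(fdu)
    accepted = 0
    for _ in range(max_spends):
        shop.sync()
        coin = SpentAsset("coin-0001", "wallet-CLONED", cert_expiry=30)  # constructed
        if not shop.accept(coin, today=1):
            break
        accepted += 1
    return accepted, fdu.hot_list


if __name__ == "__main__":
    print("spends for 95% detection at 1-in-100 sampling:", spends_until(0.95, 0.01))
    print("clone stopped after", simulate_clone(0.01, 5000, seed=7)[0], "spends")
```

Under this model a single respent $1 coin reaches 95% detection after a few hundred spends at one-in-100 sampling, which is the break-even comparison the text makes; a wallet that respends many different coins a few times each is detected more slowly.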

The electronic asset system 20 is beneficial at reducing 
connectivity and online requirements, as well as the transaction
costs typically associated with full online verification
systems. For small transactions where the asset value is
low (e.g., coins, tokens), continuous online connection to a 
banking or merchant system on a per transaction basis is too 
expensive. For instance, it is impractical to expect a bever- 
age vending machine to validate each beverage purchase 
over a network with a localized vending hub computer. Even 
if the transaction cost was sufficiently low, the real time 
response delay would be too long and annoying to the
consumer, who simply wants a beverage for 75 cents. 

With the early warning fraud detection unit, however, 
only a few samples are required, not every transaction. The
samples can be provided over a limited online connectivity
(e.g., via the Internet), or in the case of a standalone 
machine, in a periodic batch effort. Upon compilation of bad 
wallet lists, the fraud detection unit 42 can transmit updated 
lists in real time; or for the standalone machine, the list is
updated upon routine collection rounds. The volume of
online communication is a few orders of magnitude smaller 
than a full online system and involves reasonably tolerant 
response delays. 

FIG. 2 shows a more detailed example of an electronic 
asset system with fraud detection that is implemented in the 
context of a computerized electronic commerce system. The 
electronic asset system, referenced generally as number 50, 
includes a bank 52, multiple users 54, and a merchant 56. 
For purposes of discussion, the bank 52 performs the dual
functions of issuing the non-transferable assets and collect-
ing them after utilization. Generally, the electronic asset
system 50 can be implemented as an "anonymous" system in
which assets are not traceable to the party who received
them, or a "non-anonymous" system in which assets are
traceable to the certificate of the electronic wallet that spent
them.

The non-anonymous implementation is described first, 
with aspects of the anonymous implementation being 
described afterwards.

Non-Anonymous Electronic Asset System 

To begin the cycle, the user 54 seeks to withdraw elec- 
tronic assets in the form of electronic cash from the bank 52. 
In this context, assume that the bank 52 acts as a certifying 
authority. Initially, the user 54 requires certification of an 
electronic wallet before the wallet can be used to hold the 
electronic assets. 

The electronic wallet has a processor, a program memory 
(e.g., ROM or memory drive), volatile data memory (e.g., 
RAM or Flash), and a non-volatile data memory (EEPROM 
or memory drive). The electronic wallet can be implemented 
as a portable device with its own trusted display and 
keyboard, such as a hand held computer, a personal digital
assistant, or a laptop computer. Rudimentary versions of the
electronic wallet might also be implemented as a smart card,
a PC card (formerly known as a PCMCIA card), or other IC
card. The entire electronic wallet, including processors,
memory, display, and keyboard, is tamper-resistant.

FIG. 3 shows the certification process in more detail. The
electronic wallet 58 is manufactured with initial pairs of
public and private keys and a corresponding certificate that
is registered with the certifying authority (or the bank, in this
example). A certificate is a linkage of a public key and a user
identification, which is signed by the certifying authority. (In
the anonymous system described below, the user identifica-
tion is omitted from the certificate.) The initial
manufacturer-issued certificate is provided as assurance that
the user has a tamper-resistant device. The initial certificate
uses a very short expiration term, and the user is expected to
re-certify shortly after getting the electronic wallet.

During certification, a user's electronic wallet 58 is con- 
nected to the bank's computer 62. This connection can be 
achieved, for example, using a direct connection, or alternatively
over a public network (e.g., the Internet).

The electronic wallet 58 has a cryptographic program
stored in the program memory that directs the processor to 
perform cryptographic functions, such as key generation and
management, encryption, decryption, signing, and verification. During
certification, the electronic wallet 58 generates a unique pair of
public and private cryptographic signing keys, and submits the key
pair along with user identification to the bank's computer 62. The
initial certificate stored by the manufacturer is also submitted and
used to create the secure channel for this first communication. The
materials are forwarded in a packet 64.

The bank's computer 62 examines the packet 64 and compares the initial
manufacturer-issued certificate to a list of initial certificates to
ensure that the wallet is a tamper-resistant device, and to the hot
list of bad wallets to ensure that the wallet is not a bad wallet. If
the certificate checks out cleanly, the bank's computer confirms the
identity of the

[...]

transmission and then destroyed. Another method is to establish a
secure channel between the electronic wallet and bank's computer,
whereby the same encryption key is used for many messages. Some
precautions are taken when reusing the same key, but such precautions
are standard and known in the art.

With the secured channel 68 established, the user 54 [...] withdrawal
of electronic cash. Suppose the user wants to withdraw $100 in units
of $1 coins. The bank's computer has coin issuing software executing
thereon which utilizes a random number generator to create a nonce
(i.e., a fresh string of data) representative of each non-transferable
coin. The bank's computer then attaches a serial number and an
expiration date. The entire data string might be 550 bits long, in
which 400 bits are random, 50 bits constitute a serial

user. If the user is present, the identification confirmation is K cn u * * • a , 1 cnu*. 

c . . , , , . ■ , number, 50 bits constitute an expiration date, and 50 bits a re 

performed using traditional methods, such as driver s . ' p ™^ uif^ ttc;„„ « f .u u 1 . 

f. - , ir.L * . .J a string 01 zero bits. Using a hashing function, the bank s 

hcense finger pr.nte. and so on. f the user is no present and ^ cryptographic digest or "hash" of 

the certification is handled remotely the bank rehes on other ^^^^ function is a mathematical function 

evidence such as a phone number, address, mother s maiden nn *u . . • * j * * • . n j • c. 

J V 11 • c y CL L that converts an input data stream into a fixed-size, often 

name, and so on. FoUowine successful confirmation, the „ . . j . . .u * • . c.J - 

. * r-i J- 11 • *u 1 A smaller, output data stream that IS representative of the input 

bank s computer 62 digitally signs the packet to produce a j ^ / -r-t. i_ 1 » * ^-1 • j . 

•c . /-V^ A • J 7 • u J . _.vc aata stream. The bank s computer 62 is programmed to 

certificate 66. An expiration date is attached to the certifi- j n *u * w a- . i.\ u 

cate. nie certificate I returned to the electronic waUet 58. cryptographic digest (hash) by opera mg 

, ^ ^ ^ , ... With the bank s private sigmng key for the SI denomination 

With reference again to FIG. 2, the user mitiates the 25 to create a $1 coin. The bank's computer employs a different 

Withdrawal transaction by estab ishmg a secure communi- ^ ^eys for each denomination. Accordingly, a 

cation channel 68 between the electronic wallet 58 and the 5^ ^. -j^j ^^-^^ ^^^^j^^ ^ f^u^^g. 
bank's computer 62. This is done through an exchange of 

certificates, whereby the electronic wallet 58 can verify the ^x.a^ign.p.Lbanki^'^^^^^)'^'^ Coin 

authentidty of the bank's computer 62 (and software oper- 30 where "S^^i si^npntar.," is a signing function using the 

ating thereon) by virtue of the bank's certificate; and bank's private Si signing key. 

conversely, the bank's computer can verify the authenticity 7Q downloaded to the user's electronic 

of the electronic wallet from the wallet's certificate, ^^llet 58 over the secure communication channel 68. The 

The verification process entails an examination of the bank debits the user's account for the amount of money 

digital signature attached to the certificate. For instance, to 35 withdrawn. The coins are stored in the electronic waUet 58. 

authenticate the electronic wallet 58, the bank's computer 62 The user is free to carry the electronic wallet and use it 

evaluates the digital signature to determine if it is a recog- wherever he/she wishes. 

nized signature of a trusted certifying authority. In this case. Suppose the user 54 desires to buy a $1 item or service 

the digital signature on the wallet's certificate happens to be from merchant 56. The user initiates communication with 

the bank's own signature. The electronic wallet 58 verifies 40 the merchant and establishes a secure communication chan- 

the certificate received from the bank and authenticates the nel 72 in the manner described above. Upon purchase, the 

signature on the bank's certificate to ensure that the certifi- user's electronic waUet 58 digitally signs a $1 coin with its 

cate is from the bank. private signing key, as follows: 

Once the initial verification process is completed, the (t \_ 

communicaUon between the electronic wallet 58 and the 45 ^KM,..prL^aiu, ($1 Coin)-Profifered $1 Com 

bank's computer 62 is protected using public key cryptog- where ^*Sj^,sign.pri.waUet' is a signing function using the 

raphy. A symmetric "session" key is generated by the user's wallet's private signing key. 

electronic wallet 58 and used to encrypt data being trans- The signed coin 74 is tendered to the merchant 56. The 

ferred to the bank's computer. This session key is then merchant's computer 76 runs software which evaluates the 

encrypted using a public exchange key of the bank (which 50 proffered coin by checking the signatures of both the bank 

was received in the bank's certificate). The user's electronic and the electronic wallet. The wallet signature is checked 

wallet 58 signs the encrypted message with its own private against a local list of bad wallets to ensure that the wallet is 

signing key The encrypted and signed message, along with not bad. Finally, the coin itself is evaluated to ensure that it 

the encrypted session key, are sent to the bank, TTie bank's has not expired. If the evaluation yields positive affirmation, 

computer 62 decrypts the session key using its own private 55 the merchant's computer 76 accepts the coin 74 in exchange 

exchange key and then decrypts the message using the for the purchased item or service, 

session key. The bank's computer 62 will further verify the Periodically, the merchant 56 batch deposits all of the 

signature using the wallet's public signing key (which was received coins to the bank 52. Typically, the merchant's 

received in the wallet's certificate) to verify that the message bank is different than the user's bank but, for discussion 

did come from the user's electronic wallet and was not 60 purposes, the issuing bank is also the collecting bank. To 

subsequently altered. With public key cryptography, the deposit the received coins, the merchant's computer 76 

communication is therefore securely exchanged over an establishes a secure communication channel 76 with the 

otherwise unsecure medium (such as the Internet) by bank's computer 62. The spent coins 80 are then down- 

encrypting messages that eavesdroppers are free to intercept, loaded over the secure channel 76 to the bank's computer 

but unable to decrypt into meaningful information. 'ITiis 65 62. 

method of securing communication is known as "secure 'llie spent coins are considered to be exhausted following 

messaging" in which individual keys are used for each their single use. The bank stores all of the exhausted coins 
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in a large database 82. To store all of the exhausted coins 
issued by an individual bank, the exhausted coin database 82 
is expected to be at least ten gigabytes, and can be twenty or 
more gigabytes. 
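The issue, spend and merchant-evaluation steps described above can be traced in code. The following is an added example, not code from the patent: it uses toy textbook RSA over fixed Mersenne primes (not secure), and the names `issue_coin`, `proffer`, `merchant_evaluate` and the certificate id are hypothetical. Validation of the certifying authority's signature on the wallet certificate is assumed to have happened already.

```python
import hashlib
import secrets
from datetime import date

E = 65537

def make_key(p, q):
    """Toy textbook-RSA key from two fixed primes (constructed for this example, not secure)."""
    n = p * q
    return {"n": n, "e": E, "d": pow(E, -1, (p - 1) * (q - 1))}

def public(key):
    return {"n": key["n"], "e": key["e"]}

def digest(data, n):
    """Hash the data string and reduce it into the range of the modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(key, data):
    return pow(digest(data, key["n"]), key["d"], key["n"])

def verify(pub, data, sig):
    return 0 <= sig < pub["n"] and pow(sig, pub["e"], pub["n"]) == digest(data, pub["n"])

# The bank holds a different signing key per denomination; the wallet holds its own key.
BANK_KEYS = {1: make_key(2**127 - 1, 2**89 - 1), 5: make_key(2**107 - 1, 2**61 - 1)}
BANK_PUB = {value: public(key) for value, key in BANK_KEYS.items()}
WALLET_KEY = make_key(2**521 - 1, 2**607 - 1)
# Hypothetical certificate; checking the certifying authority's signature on it is omitted.
WALLET_CERT = {"id": "wallet-cert-0001", "pub": public(WALLET_KEY)}

MASK50 = 2**50 - 1

def pack_coin(nonce, serial, expires):
    """550-bit data string: 400 random | 50 serial | 50 expiration | 50 zero bits."""
    value = (nonce << 150) | (serial << 100) | (expires.toordinal() << 50)
    return value.to_bytes(69, "big")  # 550 bits fit in 69 bytes

def unpack_coin(data):
    value = int.from_bytes(data, "big")
    return {"nonce": value >> 150, "serial": (value >> 100) & MASK50,
            "expires_ordinal": (value >> 50) & MASK50, "zero_bits": value & MASK50}

def issue_coin(denomination, serial, expires):
    """Bank side: fresh nonce, serial number, expiration; sign the hash of the string."""
    data = pack_coin(secrets.randbits(400), serial, expires)
    return {"data": data, "bank_sig": sign(BANK_KEYS[denomination], data)}

def signed_body(coin):
    """Bytes the wallet signs: the data string followed by the bank's signature."""
    return coin["data"] + coin["bank_sig"].to_bytes(64, "big")

def proffer(coin, wallet_key, wallet_cert):
    """Wallet side: sign the bank-signed coin with the wallet's private signing key."""
    return {**coin, "cert": wallet_cert, "wallet_sig": sign(wallet_key, signed_body(coin))}

def merchant_evaluate(proffered, denomination, hot_list, today):
    """Merchant side: both signatures, the local hot list, then the coin's expiration."""
    if len(proffered["data"]) != 69:
        return "refuse: malformed coin"
    if not verify(BANK_PUB[denomination], proffered["data"], proffered["bank_sig"]):
        return "refuse: bank signature does not match this denomination"
    cert = proffered["cert"]
    if not verify(cert["pub"], signed_body(proffered), proffered["wallet_sig"]):
        return "refuse: wallet signature invalid"
    if cert["id"] in hot_list:
        return "refuse: wallet is on the hot list"
    fields = unpack_coin(proffered["data"])
    if fields["zero_bits"] != 0 or fields["expires_ordinal"] < today.toordinal():
        return "refuse: coin malformed or expired"
    return "accept"

if __name__ == "__main__":
    coin = issue_coin(1, serial=42, expires=date(2030, 1, 1))
    offered = proffer(coin, WALLET_KEY, WALLET_CERT)
    print(merchant_evaluate(offered, 1, set(), date(2029, 6, 1)))
    print(merchant_evaluate(offered, 5, set(), date(2029, 6, 1)))
```
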

The bank's computer can then, if desired, perform a 
comprehensive fraud evaluation check to determine if any of 
the coins in the huge database 82 has been double spent. 
However, this deterministic "after the fact" process is a large 
task, requiring substantial processing capabilities. The bank 
may forego such deterministic evaluation in favor of only 
performing the statistical evaluation, described below. 

The merchant's computer 56 also submits a sample of the 
received coins, represented by coin 84, over a secure chan- 
nel 86 to a fraud detection center (FDC) 90. The sample is 
a small fraction, but statistically representative, of the large
number of coins being deposited in the bank. 

The fraud detection center 90 has a computer 92 which is 
programmed to perform the steps shown in FIG. 4. The
computer 92 receives the sampled coins 84 from the mer- 
chant computer 76 and stores them in a sample database 94 
(step 150 in FIG. 4). The FDC computer 92 is programmed 
to evaluate the exhausted coins in the sample database 94 to 
detect if any of them have been used in a fraudulent manner 
(step 152 in FIG. 4). In particular, a software program 
executing on the FDC computer 92 performs a comparison 
analysis in which the exhausted coins are compared to one 
another to see if any of them match (step 154 in FIG. 4). This 
comparison can be performed as each newly exhausted asset 
is received. A match occurs when, after the signatures are 
stripped away, the random bit portions of two or more coins 
are identical. If no match is found (i.e., the "no" branch from
step 154), the analysis is completed for that cycle. 
Conversely, if a match is found (i.e., the "yes" branch from 
step 154), the computer program marks the duplicated coins 
as "bad" coins (step 156). 

The FDC computer 92 then uses the signature attached to 
the bad coins to identify the certificate issued to the elec- 
tronic wallet that spent them (step 158 in FIG. 4). The 
suspect wallet is then labeled as being a "bad" wallet (step 
160 in FIG. 4). It is noted that the software running on the 
FDC computer 92, as well as the software executing on the 
bank and merchant computers, are loaded from computer- 
readable memory (e.g., a floppy disk, optical disk, or hard 
disk) and executed by processing units in the computers. 

The coin analysis might reveal multiple bad wallets. 
Accordingly, the FDC computer 92 compiles a list in an 
electronically readable data structure that contains all of the 
bad wallets (step 162 in FIG. 4), or more specifically, all of 
the certificates of the bad wallets. As the list 96 is updated, 
the updates are broadcast in real time over a wireless 
network, as represented by RF tower 98, or a wire-based 
network, as represented by a public data communication 
network (i.e., the Internet) 100, to the electronic wallets 58 
and to the merchant's computer 76 (step 164). Other types 
of distribution networks may also be used, such as cable TV 
or interactive television systems, cellular phone and paging 
networks, and telephone lines. Additionally, the entire list 96 
can also be posted at a publicly accessible location for 
anybody to access and download, such as an Internet web 
site. The distributed local hot lists provide the merchant 56 
with ready, on-the-spot identification of bad wallets. The list 
is also sent to the bank 52 via a secure communication 
channel 102. 

With the local hot list of bad wallets, the merchant 
computer 76 can evaluate all signatures on subsequently 
tendered coins to determine whether they are from a bad 
wallet. If so, the merchant computer 76 will refuse the
transaction and cease communication with the bad wallet.
Additionally, law-enforcement agencies can masquerade as
merchants to perform sting operations aimed at ferreting out
bad wallets.
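The FIG. 4 steps and the merchant's use of the local hot list can be sketched as follows. This is an added example, not code from the patent: each spend record is assumed to already carry the coin's random bit portion and the certificate identified from the wallet signature, the sample records are constructed, and every name is hypothetical. Flagging every certificate attached to a duplicated coin is an assumption of this example.

```python
import random
from datetime import date

def merchant_sample(spent_coins, rate, rng):
    """Merchant side: forward each received coin to the FDC with probability `rate`."""
    return [coin for coin in spent_coins if rng.random() < rate]

class FraudDetectionCenter:
    def __init__(self):
        self.sample_db = {}     # random bit portion -> spends seen so far (step 150)
        self.bad_coins = set()  # random portions that matched (step 156)
        self.hot_list = {}      # bad certificate id -> that certificate's expiration (step 162)

    def receive(self, spend):
        """Compare one newly exhausted coin against the sample database.

        Returns the hot-list entries that are new and must be broadcast (step 164);
        an empty dict is the "no" branch of step 154. A duplicate is only caught
        when both copies of the coin have reached the sample database.
        """
        seen = self.sample_db.setdefault(spend["nonce"], [])
        seen.append(spend)
        if len(seen) < 2:
            return {}
        self.bad_coins.add(spend["nonce"])
        update = {}
        for s in seen:  # steps 158-160: signature -> certificate -> bad wallet
            if s["cert_id"] not in self.hot_list:
                self.hot_list[s["cert_id"]] = update[s["cert_id"]] = s["cert_expires"]
        return update

class LocalHotList:
    """Copy kept by a merchant or wallet, fed by the broadcast updates."""
    def __init__(self):
        self.entries = {}

    def apply(self, update):
        self.entries.update(update)

    def prune(self, today):
        # Expired certificates are refused anyway, so their entries can be dropped.
        self.entries = {c: exp for c, exp in self.entries.items() if exp >= today}

    def refuses(self, cert_id, cert_expires, today):
        return cert_expires < today or cert_id in self.entries

def spend(nonce, cert_id, cert_expires, merchant):
    return {"nonce": nonce, "cert_id": cert_id,
            "cert_expires": cert_expires, "merchant": merchant}

# Constructed sample: the coin with random portion 0xA1 is spent at two merchants.
SAMPLE = [
    spend(0xA1, "cert-17", date(2030, 3, 31), "merchant-1"),
    spend(0xB2, "cert-22", date(2030, 4, 15), "merchant-1"),
    spend(0xA1, "cert-17", date(2030, 3, 31), "merchant-2"),
    spend(0xC3, "cert-30", date(2030, 4, 30), "merchant-2"),
]

def run_demo():
    fdc, local = FraudDetectionCenter(), LocalHotList()
    for record in SAMPLE:
        local.apply(fdc.receive(record))  # broadcast reaches the local list
    return fdc, local

if __name__ == "__main__":
    fdc, local = run_demo()
    print("bad coins:", [hex(n) for n in fdc.bad_coins])
    print("hot list:", local.entries)
```
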

The bank 52 may continue to perform deterministic
evaluation of all coins stored in the exhausted asset database 82
to absolutely detect fraud. In this case, the fraud detection
center functions as an early warning system that operates
quickly to detect fraud from the small sample and warn
others of bad wallets. This early warning detection supplements
the bank's deterministic evaluation. On the other hand,
the bank may decide that the probabilistic evaluation performed
by the fraud detection center is satisfactory and
eliminate the database 82 altogether.

Each electronic wallet 58, inclusive of the bad wallets,
must periodically renew its certification before the expiration
date of the certificate. Example expiration terms can
be one month to one year. The renewal process is similar to
the original certification process explained above with
respect to FIG. 3, but further includes the electronic wallet's
obligation to submit the old certificate with public and
private keys. The certifying authority (or bank in this case)
examines the old certificate in view of the hot list of bad
wallets. If listed, the bank refuses the transaction, and might
even be able to identify the user 54. Conversely, if the old
certificate is clean, the bank issues a new certificate for a
new expiration term.

A shorter expiration term requires that the electronic
wallet be re-certified more regularly. This, in turn, exposes
bad wallets more often, before they can promulgate fraud to
any large extent. Conversely, too short a term might be
administratively bothersome because the user is continuously
updating the wallet's certificates. Accordingly, expiration
terms are set according to the environment of use,
while taking into consideration these competing goals.

Through the combination of compiling lists of wallet certificates
(and not coins) and using relatively short expiration terms,
the hot list of bad wallets can be kept fairly short. In this
manner, the list can be conveniently stored on the wallets
themselves, which often have memory capacity limitations.
The wallets can perform routine cleanup procedures to
remove wallets with expired certificates from the hot list to
maintain a short list. The compilation of short hot lists of
revoked certificates which can be easily stored on portable
electronic devices can be generally extended to other public
key cryptosystems besides electronic commerce and asset
systems.

Anonymous Electronic Asset System 

The anonymous electronic asset system differs from the
above described non-anonymous system in two notable
ways. First, the certificates issued to the electronic wallets
are blindly signed by the certifying authority (or bank, in this
example) so that the identity of the wallet is not known to the
certifying authority. Second, the coins are blindly signed by
the bank so that the identity of the deposited coin, and the
payer's wallet are not known to the bank. A "blind signature"
is the electronic kin of signing an envelop containing a
document and a carbon copy. The signature is pressed
through the envelop and appears on the document, but the
signer has no idea what it is signing. Only the recipient can
extract the signed message from the envelop. Blind signatures
are described in greater detail in the Schneier book
identified at the beginning of Detailed Description Section.

In the non-anonymous system, the bank knew the identity
of the user when the user withdrew money. During
re-certification, the user is given a new certificate with a new
expiration period, but carrying the same old public key. Each
valid user has only one certificate at any one time. To move
away from a non-anonymous system, the payer's identity
must be hidden from the bank. However, even if the bank
blindly signed issued coins, the bank would still eventually
see the spent assets and identify the certificate via the
attached signature. One approach is to employ a combination
of blinded signatures and separate keys for withdrawal
and payment. In this manner, the bank cannot associate
withdrawal with payment. However, there is a possibility
that a detectable pattern might emerge based upon use of the
payment key pair, which effectively exposes the user's
identity.

Accordingly, to ensure true anonymity, the electronic
asset system 50 enables the user 54 to break at will any
linkability between withdrawal and payment, and between
different payments, so that the transactions cannot be traced
to the user. Breaking linkability is provided through the
issuance of payment certificate(s) and separate withdrawal
certificate(s) and the ability for the electronic wallet to
change its payment certificate anonymously whenever the
user 54 decides. None of the payment certificates are linkable
to each other, nor to the withdrawal certificates. In this
manner, the user can withdraw coins using one wallet
certificate and identification, and then pay with another
wallet certificate which can be changed at will.

FIG. 5 shows a blind re-certification process in more
detail. For this illustration, suppose that the electronic wallet
58 has already received its initial payment certificate from
the bank's computer 62 as described above with reference to
FIG. 3. Now, the user desires to change the identity of the
electronic wallet by refreshing the payment certificate. The
user's electronic wallet 58 connects to the bank's computer
62 and establishes a secure channel using the present pair of
keys. The electronic wallet 58 sends its present payment
certificate 66, along with a new pair of public and private
cryptographic signing keys and a new expiration date
enclosed in an "envelop" 110. Suppose M represents the
message contents to be sent to the bank, and the electronic
wallet 58 has an RSA public key (e, N). Putting M in the
"envelop" 110 means creating \((x^{e} M \bmod N)\), where x is a
secret value known only by the wallet. The new expiration
date has a relatively short expiration term (e.g., one month).

The bank's computer 62 evaluates the present payment
certificate 66, namely the public signing key contained
therein, to ensure that it is valid and not revoked or
exhausted. If valid, the bank's computer 62 agrees to blindly
sign the envelop 110 by raising the value \((x^{e} M \bmod N)\) to
the power of d mod N to produce a result \((x M^{d} \bmod N)\). The
bank's computer then returns the blindly signed payment
certificate 112 to the electronic wallet 58. The electronic
wallet is the only entity to know the secret x and thus,
divides by x to "open the envelop" and obtain the unblinded
signature \((M^{d} \bmod N)\).

The bank is unable to verify the correctness of the new 
expiration date. However, this expiration date is eventually 
revealed to the merchant 56 when the electronic wallet 58 is 
used. If the expiration date exceeds the appropriate term (say 
more than one month), the merchant reports the wallet 58 to
the fraud detection center 90 which lists the wallet as bad 
and revokes its public key. Accordingly, the electronic wallet 
58 cannot cheat by asking the bank to blindly sign a long or 
certificate. 
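The blind re-certification exchange of FIG. 5 and the merchant's later check of the expiration term can be worked through with the document's symbols (e, N, d, x, M). This is an added example, not code from the patent: the bank key is a toy constructed from two Mersenne primes, hashing the certificate contents to form M and the 31-day limit are assumptions of the example, and all function names are hypothetical.

```python
import hashlib
import secrets
from datetime import date, timedelta
from math import gcd

# Bank's toy RSA key, built from two Mersenne primes (constructed; not a secure key).
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))

def message(new_public_key, expires):
    """M: new payment public key plus new expiration date, hashed into the range of N."""
    text = f"{new_public_key}|{expires.isoformat()}".encode()
    return int.from_bytes(hashlib.sha256(text).digest(), "big") % N

def wallet_blind(m):
    """Seal the envelop: choose secret x and form x^e * M mod N."""
    while True:
        x = secrets.randbelow(N - 2) + 2
        if gcd(x, N) == 1:  # x must be invertible so the envelop can be opened
            return x, (pow(x, E, N) * m) % N

def bank_blind_sign(envelope, present_cert_id, hot_list):
    """Bank checks only the present certificate, then raises the envelop to d."""
    if present_cert_id in hot_list:
        raise PermissionError("present payment certificate is revoked")
    return pow(envelope, D, N)  # (x^e * M)^d = x * M^d mod N

def wallet_unblind(blind_sig, x):
    """Open the envelop: divide by x to obtain M^d mod N."""
    return (blind_sig * pow(x, -1, N)) % N

def recertify(new_public_key, expires, present_cert_id, hot_list):
    """Whole exchange; the bank never sees new_public_key or expires."""
    m = message(new_public_key, expires)
    x, envelope = wallet_blind(m)
    return wallet_unblind(bank_blind_sign(envelope, present_cert_id, hot_list), x)

def merchant_check(new_public_key, expires, sig, today, max_term=timedelta(days=31)):
    """Merchant verifies the bank's signature and the term the bank could not see."""
    if pow(sig, E, N) != message(new_public_key, expires):
        return "refuse: signature invalid"
    if expires < today:
        return "refuse: certificate expired"
    if expires - today > max_term:
        return "report to fraud detection center: expiration term too long"
    return "accept"

if __name__ == "__main__":
    today = date(2030, 1, 15)
    ok = recertify("new-wallet-pubkey", date(2030, 2, 1), "old-cert", set())
    print(merchant_check("new-wallet-pubkey", date(2030, 2, 1), ok, today))
    cheat = recertify("new-wallet-pubkey", date(2031, 1, 15), "old-cert", set())
    print(merchant_check("new-wallet-pubkey", date(2031, 1, 15), cheat, today))
```
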

The withdrawal certificate(s) can be anonymous or
non-anonymous. An anonymous certificate is appropriate when
exchanging ordinary cash for electronic cash, or when
exchanging old electronic cash for new electronic cash. An
anonymous withdrawal certificate is refreshed using the
blind approach described above with respect to FIG. 5. A
non-anonymous withdrawal certificate is used when depositing
assets, and can be refreshed using the non-anonymous
approach described above with respect to FIG. 3.

With reference to FIG. 2, the electronic wallet 58 establishes
a secure channel 68 with the bank's computer 62 and
submits candidate coins and specifies their desired value and
expiration dates. The bank assigns the value by choosing a
signature exponent corresponding to that value. In the case
of withdrawal, the authorized value equals the desired value
if the user has sufficient funding in his/her account. The
bank's computer blindly signs the coins and returns them to
the electronic wallet 58. If unused before the expiration date,
the unexpired coin is refreshed by submitting it in exchange
for a new coin of equal value with a new expiration date.

In the anonymous system, the fraud detection center 90 is 
still able to detect fraudulently used coins by examining for 
duplication. From the bad coins, the fraud detection center 
90 can determine which wallet spent the coin using the 
signature attached to the spent coin. This bad wallet can then 
be added to the list that is broadcast to all wallets and to the 
merchant 56. 

The anonymous system has one potential weakness for
attack. A pirate could multispend the same coin and thereafter
re-certify the electronic wallet to change its identity
before the current wallet is listed as bad and the current
signing key is revoked. To prevent this scenario, the anonymous
electronic asset system 50 stipulates two rules: (1)
every recipient deposits all received coins on a routine basis
(e.g., daily), and (2) requests for new certificates are handled
anytime before and during the dead time interval; however,
new certificates are only issued after the time interval has
elapsed.

This second rule is implemented by first defining a dead 
time interval. The specific time interval can be scheduled 
during low traffic times, such as at midnight. Before this
dead time interval, the bank handles all transactions for the 
day and allows all batch deposits to clear. Requests for new 
certificates can likewise come anytime before the dead time 
interval. During the interval, however, no more deposits or 
requests are permitted and all new certificate requests are 
postponed until after the interval is completed. The length of
the dead time interval is such that even if all deposits and 
requests come at the last available second, all processing can 
terminate during the interval. After the dead time interval, 
the new certificates are sent and the bank's computer begins 
processing new deposits and certificate requests. In this 
manner, the bank's computer is not re-certifying bad wallets 
until the bank has processed all coins and deterministically 
detected any bad wallets. This ensures detection of bad 
wallets before they are re-certified. 

The dead time interval is expected to be less than one 
minute. Suppose that 25 million people in the United States use
electronic wallets, while banking at one thousand different 
banks. This averages to twenty-five thousand users per bank. 
Next, suppose that each user deposits 40 coins per day. At 
this rate, each bank must verify one million signatures per 
day. A present-day DSP (digital signal processing) chip can 
perform approximately 50 thousand 500-bit Rabin verifica- 
tions per second. So, one DSP chip can verify one million 
signatures in 20 seconds (1,000,000/50,000=20). This time
can be shortened by running multiple DSP chips in parallel. 

Another potential scenario concerns a pirate who discovers
that the same merchant deposits coins daily at 3:00 PM.
The pirate thus double spends coins beginning at 4:00 PM
and later requests a new certification of his wallet before
midnight. This process is repeated daily. This scenario
would not permit the pirate to profit for long, however,
because the fraud detection center 90 would detect the
activity and end it before the pirate could break even. While
the wallet can change identity, the coins themselves cannot.
Accordingly, there is no need to catch a wallet before it
changes its identity, just eventually before the pirate can
break even with the initial investment of cloning the wallet
in the first place.

The certification guidelines for both the anonymous and
non-anonymous systems are summarized below:

1. Each electronic wallet is born with a pair of public/private
keys, and a corresponding certificate, which are known
and trusted by a certification authority (CA). This is true
both for anonymous and non-anonymous systems.

2. For non-anonymous systems at expiration, each user gets
automatically a new certification, which includes the
same old public key with a new expiration (unless the user
asks to replace the public key for fear that it has been
exposed). At each moment, each valid user has exactly
one certificate.

3. For an anonymous system, at each moment, each valid user
has exactly one valid payment certificate and one valid
withdrawal certificate. These certificates are distinguishable.

   The payment certificate is issued using the blind certificate
   technique of FIG. 5. A user replaces the initial
   certificate with an anonymous payment certificate. The
   initial certificate has a very short expiration, and then
   periodically, or as needed (but not exceeding an upper
   bound on expiration) uses the blinded certificate protocol
   to refresh it. The blinded certificate protocol is
   done with new fresh public keys.

   The withdrawal certificate may be issued anonymously, in
   which case this is done the same way as with payment
   certificate. Alternatively, it might be issued
   non-anonymously, in which case the procedure of (2) is
   used. The former is used when exchanging ordinary
   cash for e-cash, or when exchanging old e-cash (that
   the user received as payee) for fresh e-cash. The latter
   is used when depositing.

   In the case of anonymous system, none of the payment
   certificates are linkable to each other nor to the
   withdrawal certificates, and the two kinds of withdrawal
   certificates are not linkable to each other.

It can be statistically shown that for cloning costs of
$10,000 per wallet, a sampling rate of one in one hundred
transactions will detect forgeries with probability close to
one on break-even. The sampling approach is advantageous
in that it does not depend on whether fraud is committed in
large quantities in a short time period, or in a trickle over a
long time period. The sampling rate is a constant factor of
the break even cost to the pirate. A sampling rate can always
be set to a conservative estimate of the cost required to clone
a wallet. These costs vary over time due to technology
advances and thus the sampling rates are modifiable to
compensate for these cost variations. Additionally, as time
goes on, cloning costs are amortized over more wallets,
thereby reducing cost per wallet. The sampling rate is
increased to maintain constant detection probability, until
the rate is too high and new tamper-resistant technology is
deployed. Although the average sampling rate depends only
on breaking cost of a wallet, it may be needed to react to
"bursty" attacks using bursty sampling strategy. Otherwise
the adversary may be able to exceed break-even (because
detection will happen too late).

The fraud detection and early warning system thus uses a
small sampling of the transactions to detect fraud and
eliminate it before the criminal can make good on his/her
initial cloning investment. The sampling process requires
tremendously less resources to operate and maintain in
comparison to a full online deterministic fraud detection
system. With appropriate sampling parameters, the fraud
detection system can sniff out fraudulent activity with high
probability (i.e., 95% or better). The banks may decide to
currently perform massive evaluation of all coins that are
exhausted to absolutely detect fraud. However, this requires
substantial storage and processing cost, as well as maintenance
expenses. The banks may thus conclude that probabilistic
fraud detection is satisfactory and eliminate storage
of exhausted coins.

The above disclosure centered on an electronic asset
system. However, it is noted that aspects of this invention
can be used generally in a public key cryptography system.
In the general case, electronic devices are assigned
certificates with public and private key pairs. The devices
then engage in transactions according to a set of prescribed
rules, which typically involves digital signing using the
private signing key.

A sample and detection system samples certain transactions
and evaluates whether the transactions comply with the
rules. For instance, the detection system might detect which
non-transferable items are used twice, or are used following
expiration, or violate other detection criteria. Once detected,
the detection system uses the digital signature to identify the
corresponding certificate of the electronic device. This certificate
is then marked as revoked. The detection system
generates a list of revoked certificates which are stored
locally on the electronic devices. These local lists are then
used to prevent further perpetuation of non-compliance with
the rules.

In compliance with the statute, the invention has been
described in language more or less specific as to structure
and method features. It is to be understood, however, that the
invention is not limited to the specific features described,
since the means herein disclosed comprise exemplary forms
of putting the invention into effect. The invention is,
therefore, claimed in any of its forms or modifications within
the proper scope of the appended claims appropriately
interpreted in accordance with the doctrine of equivalents
and other applicable judicial doctrines.

I claim:

1. An electronic asset system comprising:

a plurality of electronic wallets;

a plurality of non-transferable electronic assets stored on
the electronic wallets, the electronic assets being
removed from the wallets when used and marked as
exhausted assets; and

a probabilistic fraud detection system to sample a subset
of less than all of the exhausted assets to detect bad
assets that have been used in a fraudulent manner, the
fraud detection system further identifying the electronic
wallets that used the bad assets.

2. An electronic asset system as recited in claim 1 wherein
the electronic wallets are tamper-resistant.

3. An electronic asset system as recited in claim 1 wherein
the electronic wallets are smart cards programmed to store
the electronic assets.

4. An electronic asset system as recited in claim 1 wherein
the fraud detection system compiles a list of the identified
electronic wallets.

5. An electronic asset system as recited in claim 4 wherein
the fraud detection system distributes the list of the identified
electronic wallets to warn that the identified electronic
wallets have been used in a fraudulent manner.

6. An electronic asset system as recited in claim 4 wherein 
the list of the identified electronic wallets is stored on the 
electronic wallets. 5 

7. An electronic asset system as recited in claim 1 wherein 
the fraud detection system compares a newly exhausted 
asset to the exhausted assets in the sampled subset to 
determine whether there is a match, the match being indica- 
tive of fraudulent use. 10 

8. An electronic asset system as recited in claim 1 
wherein: 

the electronic wallcts-are-associated_with.particular-users* 

*4nd^reitraceal3e5ito3to 
the fraud detection system further identifies the users 

associated with the identified wallets that used the bad 

assets. 

9. An electronic asset system as recited in claim 1 wherein 
the electronic wallets are issued with temporary certificates
that expire on an expiration date. 

10. An early detection and warning system for detecting 
fraudulent transactions involving non-transferable elec- 
tronic assets, individual electronic assets being transferred 
from an electronic wallet during a transaction and then 
exhausted following use in the transaction, the early
detection and warning system comprising:

a sample database; and 

a computer programmed to perform the following steps: 

store a sample of less than all of the exhausted elec- 
tronic assets in the sample database; 

evaluate the exhausted electronic assets stored in the 
sample database; 

mark an exhausted electronic asset as a bad electronic 
asset in an event that the exhausted electronic asset 
matches another of the exhausted electronic assets 
stored in the sample database; and 

identify an electronic wallet from which the bad elec- 
tronic asset was transferred as a bad wallet. 

11. An early detection and warning system as recited in 
claim 10 wherein the computer is further programmed to 
compare a newly exhausted electronic asset with the 
exhausted electronic assets stored in the sample database to 
discover a match. 

12. An early detection and warning system as recited in 
claim 10 wherein the computer is further programmed to 
compile a list of bad wallets. 

13. An early detection and warning system as recited in 
claim 10 further comprising a network connection to an 
electronic data network, the computer being further pro- 
grammed to transmit an identity of the bad wallet via the 
network connection over the electronic data network. 

14. An early detection and warning system as recited in 
claim 10 further comprising a transmitter to broadcast an 
identity of the bad wallet over a wireless communication 
network. 

15. An electronic fraud detection system for detecting 
fraudulent transactions involving electronic assets, the elec- 
tronic fraud detection system comprising: 

an asset issuing unit to issue non-transferable electronic 
assets to asset holders; 

a recipient unit to receive the electronic assets that are 
used by the asset holders; and 

a fraud sampling unit to evaluate a sampled subset of less 
than all of the electronic assets received by the recipient
unit to detect if the electronic assets have been used in 
a fraudulent manner, and in an event of detection, the 
fraud sampling unit identifying the asset holders
responsible for fraudulent use of the electronic assets. 

16. An electronic fraud detection system as recited in 
claim 15 wherein the asset holders comprise portable elec- 
tronic wallets which store the electronic assets. 

17. An electronic fraud detection system as recited in 
claim 15 wherein the asset holders comprise computer 
memories. 

18. An electronic fraud detection system as recited in 
claim 15 wherein the fraud sampling unit compiles a list of 
the asset holders that are identified as being responsible for 
fraudulent use of the electronic assets. 

19. An electronic fraud detection system as recited in 
claim 18 wherein the fraud sampling unit distributes the list 
of the asset holders to warn that the asset holders have used
electronic assets in a fraudulent manner. 

20. An electronic fraud detection system as recited in 
claim 15 wherein the fraud sampling unit compares a newly 
exhausted electronic asset to the exhausted assets in the 
sampled subset to determine whether there is a match, the 
match being indicative of fraudulent use. 

21. An electronic fraud detection system as recited in 
claim 15 wherein: 

the asset holders are associated with particular users and 

are traceable to those users; and 
the fraud sampling unit identifies the users associated with 

the asset holders that are identified as responsible for 

fraudulent use of the electronic assets. 

22. An electronic fraud detection system as recited in 
claim 15 wherein: 

the asset holders are configured to expire on an expiration 
date; and 

to continue operation after the expiration data, the asset 
holders are issued a new expiration date by the asset 
issuing unit. 

23. An electronic fraud detection system as recited in 
claim 22 wherein the asset issuing unit issues the new 
expiration data for the asset holders during a time period in 
which the asset issuing unit is not issuing electronic assets. 

24. An electronic asset system comprising: 

an asset issuing unit to issue non-transferable electronic 
assets, the electronic assets being digitally signed by 
the asset issuing unit; 

a plurality of asset holders to store the signed electronic 
assets, each asset holder having an identification cer- 
tificate containing a cryptographic signing key, the 
certificate being digitally signed by a certifying author- 
ity; 

the asset holders being configured to digitally sign the 
electronic assets when used with their corresponding 
signing keys; 

a recipient unit to receive the electronic assets used by the 
asset holders, the recipient unit being configured to 
verify the signatures of the asset holders that used the 
electronic assets and the asset issuing unit and to accept 
the electronic assets upon verification of the signatures; 

a fraud sampling unit to evaluate a sampled subset of less 
than all of the electronic assets received by the recipient 
unit to detect if the electronic assets have been used in 
a fraudulent manner, and in an event of detection, the 
fraud sampling unit using the asset holders' signatures 
on the fraudulently used electronic assets to identify 
bad asset holders that are responsible for the fraudulent 
use from among said plurality of asset holders; and 

the fraud sampling unit being configured to compile a list 
of the bad asset holders and to provide the list for 
storage on said plurality of the asset holders to prevent
further use of electronic assets stored on the bad asset
holders.

25. An electronic asset system as recited in claim 24
wherein the asset holders comprise portable electronic
wallets which store the electronic assets.

26. An electronic asset system as recited in claim 24
wherein the asset holders comprise computer memories.

27. An electronic asset system as recited in claim 24
wherein the fraud sampling unit broadcasts the list of the bad
asset holders over a data communications network selected
from a group comprising a wire-based public network, a
cable-based entertainment network, and a wireless
communications network.

28. An electronic asset system as recited in claim 24
wherein:

each certificate issued on an issue date for a selected time
period, the certificate being configured to expire on an
expiration date following the selected time period after
the issue date; and

the asset holders are updated with new certificates prior to
the expiration date of the certificates, each new
certificate containing a new cryptographic signing key and
being digitally signed by the certifying authority.

29. An electronic asset system as recited in claim 24
wherein the asset issuing unit blindly signs the electronic
assets to render them non-traceable.

30. An electronic asset system as recited in claim 24
wherein the asset issuing unit is the certifying authority that
digitally signs the certificates for the asset holders.

31. A system comprising:

a plurality of electronic devices having corresponding
certificates issued thereto, the certificates including a
pair of public and private signing keys;

individual electronic devices being configured to perform
one or more transactions which involve digitally
signing data using the private signing key;

a sample and detection system to sample a subset of less
than all transactions to determine whether the
electronic devices are complying with a preset criteria, and
in the event of non-compliance, the sample and
detection system using the digitally signed data involved in
the transactions to identify the non-complying
electronic devices; and

the sample and detection system generating a list of
certificates which correspond to the non-complying
electronic devices and are to be revoked to prevent the
non-complying electronic devices from entering into
further transactions.

32. A revocation system as recited in claim 31 wherein the
list is stored locally on the electronic devices.

33. A method for detecting fraudulent transactions
involving electronic assets, the method comprising the following
steps:

issuing non-transferable electronic assets;

storing the electronic assets in electronic wallets;

spending at least some of the electronic assets contained
on the electronic wallets by transferring the electronic
assets from the electronic wallets to at least one
recipient;

extracting a sample of less than all of the spent electronic
assets;

detecting from the sample of spent electronic assets
whether there is one or more bad electronic assets that
have been spent in a fraudulent manner; and

upon detecting a bad electronic asset, identifying an
electronic wallet from which the bad electronic asset
was spent.

34. A method as recited in claim 33 further comprising the
following steps:

digitally signing the electronic assets with a first signature
during said issuing step;

digitally signing the electronic assets with a signature of
the corresponding electronic wallet during said
spending step; and

evaluating, at the recipient, both signatures before
receiving the electronic assets.

35. A method as recited in claim 33 wherein the detecting
step comprises the following steps:

comparing a newly spent electronic asset to the sample of
spent electronic assets; and

marking the newly spent electronic asset as a bad
electronic asset [illegible] of newly spent electronic
[illegible] of the spent electronic assets in the
sample.

36. [claim preamble illegible in source]

assigning certificates to corresponding ones of the
electronic wallets, certificates having an expiration date
wherein upon expiration, the electronic wallets are
prohibited from spending the electronic assets stored
thereon; and

updating the certificates before the expiration date.

37. A method as recited in claim 36 further comprising the
additional step of ceasing to issue electronic assets or
certificates during a time period in which the certificates are
updated.

38. A computer-implemented method for detecting
fraudulent transactions involving non-transferable
electronic assets used by electronic wallets, the electronic assets
being considered as exhausted electronic assets upon use,
the computer-implemented method comprising the
following steps:

extracting a sample of less than all of the exhausted
electronic assets;

evaluating the sample of exhausted electronic assets;

marking an exhausted electronic asset as a bad electronic
asset when the exhausted electronic asset matches
another of the exhausted electronic assets in the
sample;

identifying an electronic wallet from which the bad
electronic asset was spent as a bad electronic wallet; and

compiling a list of bad electronic wallets.

39. A computer-implemented method as recited in claim
35 further comprising comparing a newly exhausted
electronic asset to the exhausted electronic assets to detect a
match.

40. A computer-implemented method as recited in claim
38 further comprising storing the list of bad electronic
wallets on the electronic wallets.

41. A computer-implemented method as recited in claim
38, wherein the electronic wallets have associated
certificates, the method further comprising broadcasting a
list of certificates for the bad electronic wallets.

42. A computer-readable memory storing a program
which directs a computer to perform the steps of the method
as recited in claim 38.

43. A computer programmed to perform the steps of the
method as recited in claim 38.

44. A computer-readable data structure for holding the list
of bad electronic wallets that is generated by the steps of the
method as recited in claim 38.

♦ ♦ ♦ ♦ ♦
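The sample, match and hot-list steps recited in claims 10 and 38, together with the sampling-rate adjustment described at the end of the description, as an added Python example that is not part of the patent. The hash-keyed sample selection, the formula 1 - (1 - r)^k for detection probability, the parameter k, and all names and batch data are assumptions of this example.

```python
import hashlib

def in_sample(asset_id: str, rate: float) -> bool:
    """Select an exhausted asset for the sample with probability `rate`.
    Assumption: the choice is keyed on a hash of the asset id, so every
    copy of one asset gets the same decision."""
    h = int.from_bytes(hashlib.sha256(asset_id.encode()).digest()[:8], "big")
    return h < int(rate * 2**64)

def detect_prob(rate: float, k: int) -> float:
    """Chance that at least one of k re-spent assets lands in the sample."""
    return 1 - (1 - rate) ** k

def rate_for(target: float, k: int) -> float:
    """Sampling rate that holds detection probability at `target` when a
    cloner needs k re-spends to recoup the cost of breaking a wallet."""
    return 1 - (1 - target) ** (1 / k)

class FraudSampler:
    def __init__(self, rate: float):
        self.rate = rate
        self.sample_db = set()  # ids of sampled exhausted assets
        self.hot_list = set()   # wallets identified as bad

    def deposit(self, asset_id: str, wallet_id: str) -> bool:
        """Process one exhausted asset; True means it was marked bad."""
        if not in_sample(asset_id, self.rate):
            return False
        if asset_id not in self.sample_db:
            self.sample_db.add(asset_id)
            return False
        # Match with an asset already exhausted: the wallet whose
        # signature is on this spend goes on the hot list.
        self.hot_list.add(wallet_id)
        return True

    def accepts(self, wallet_id: str) -> bool:
        """Recipient-side check against the distributed hot list."""
        return wallet_id not in self.hot_list

# Constructed batch deposit: (asset id, wallet id from the spend signature).
BATCH = [("a1", "w1"), ("a2", "w2"), ("a3", "w3"), ("a2", "w2"), ("a4", "w1")]

def run(rate: float) -> FraudSampler:
    sampler = FraudSampler(rate)
    for asset_id, wallet_id in BATCH:
        sampler.deposit(asset_id, wallet_id)
    return sampler
```

As the break-even count k falls (cheaper cloning per wallet), `rate_for` returns a higher rate for the same target, which is the adjustment the description calls for.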